-
Notifications
You must be signed in to change notification settings - Fork 35
/
custom-win-fw-drop
126 lines (117 loc) · 5 KB
/
custom-win-fw-drop
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
#!/bin/bash
#
# /var/ossec/integrations/custom-win-fw-drop
#
# Custom Wazuh integration script to use the Wazuh API to invoke a Windows active response to firewall block an offending IP
# in response to one or more alert-triggering events on a Windows system.
#
# developed by Kevin Branch 3/13/2020
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Wazuh can't automatically invoke Windows active response firewall blocks because ossec-analysisd is limited to passing only three
# alert fields to an AR script (path, srcip, dstuser). Windows events use a source IP field that Wazuh dynamically decodes as
# data.win.eventdata.ipAddress which cannot be automatically passed by the active response code in ossec-analysisd.
# However, the Wazuh API be used to invoke AR scripts on agents with arbitraty parameters. Thus this integration can be set to be
# triggered by the same criteria you use in your Windows firewall block active-response section. It will then extract the
# data.win.eventdata.ipAddress and agent.id field from the alert JSON record and use them in a Wazuh API call that will correctly
# trigger a Windows AR firewall block on an agent.
#
# Active response section required in ossec.conf (use timeout length and criteria of your choice)
# <active-response>
# <command>netsh-win-2016</command>
# <location>local</location>
# <rules_id>60204</rules_id>
# <timeout>120</timeout>
# </active-response>
#
# Integration section required in ossec.conf (use the same criteria as in your active-response section)
# <integration>
# <name>custom-win-fw-drop</name>
# <rule_id>60204</rule_id>
# <alert_format>json</alert_format>
# </integration>
#
# File required: /var/ossec/etc/api_creds (customized to reach the Wazuh API on your standalone or Wazuh master node manager)
# APIPROTO=http
# APIHOST=127.0.0.1
# APIPORT=55000
# APIUSER=admin
# APIPASS=ChangeMe1
#
# If you are using a Wazuh manager cluster, then put this custom integration script, the above ossec.conf sections and the above
# api_creds file in place on all of your manager nodes.
#
LOCAL=`dirname $0`;
SERVER=`hostname`
cd $LOCAL
cd ../
PWD=`pwd`
echo "`date` $0 $1 $2 $3" >> ${PWD}/logs/integrations.log
ALERTFILE=$1
if [ "$ALERTFILE" == "" ]; then
echo "no alert file specified" >> ${PWD}/logs/integrations.log
exit 1
fi
if [ ! -f $ALERTFILE ]; then
echo "alert file missing" >> ${PWD}/logs/integrations.log
exit 1
fi
if [ ! -f /var/ossec/etc/api_creds ]; then
echo "Wazuh API credentials file missing: /var/ossec/etc/api_creds" >> ${PWD}/logs/integrations.log
exit 1
fi
. /var/ossec/etc/api_creds
if [ "$APIPROTO" == "" ]; then
echo "no APIPROTO set in API credentials file" >> ${PWD}/logs/integrations.log
exit 1
fi
if [ "$APIHOST" == "" ]; then
echo "no APIHOST set in API credentials file" >> ${PWD}/logs/integrations.log
exit 1
fi
if [ "$APIPORT" == "" ]; then
echo "no APIPORT set in API credentials file" >> ${PWD}/logs/integrations.log
exit 1
fi
if [ "$APIUSER" == "" ]; then
echo "no APIUSER set in API credentials file" >> ${PWD}/logs/integrations.log
exit 1
fi
if [ "$APIPASS" == "" ]; then
echo "no APIPASS set in API credentials file" >> ${PWD}/logs/integrations.log
exit 1
fi
IP=`cat $ALERTFILE | egrep -o 'ipAddress":"[^"]+' | awk -F\" '{print $NF}'`
AGENTID=`cat $ALERTFILE | egrep -o 'agent":{"id":"[^"]+' | awk -F\" '{print $NF}'`
RULEID=`cat $ALERTFILE | egrep -o 'rule":{[^{]+"id":"[^"]+' | awk -F\" '{print $NF}'`
if [ "$IP" == "" ]; then
echo "'data.win.eventdata.ipAddress' field missing in alert record" >> ${PWD}/logs/integrations.log
exit 1
fi
if [ "$AGENTID" == "" ]; then
echo "'agent.id' field missing in alert record" >> ${PWD}/logs/integrations.log
exit 1
fi
if [ "$RULEID" == "" ]; then
echo "'rule.id' field missing in alert record" >> ${PWD}/logs/integrations.log
exit 1
fi
# Determine the timeout period actually defined for the AR
DUR=`grep "netsh-win-2016" /var/ossec/etc/shared/ar.conf | cut -d" " -f1 | cut -c15-`
if [ "$DUR" == "" ]; then
echo "No stateful netsh-win-2016 active response section is defined in this manager's ossec.conf file" >> ${PWD}/logs/integrations.log
exit 1
fi
# Send API request to invoke AR
RESULT=`curl -X PUT -u "$APIUSER:$APIPASS" -k $APIPROTO://$APIHOST:$APIPORT/active-response/$AGENTID -H 'Content-Type:application/json' -d "{\"command\":\"netsh-win-2016$DUR\", \"arguments\": [\"-\", \"$IP\", \"integration\", \"$RULEID\"]}" 2> /dev/null`
# Throw an error if a positive response was not received from the API
if [[ ! `echo $RESULT | grep "Command sent"` ]]; then
echo "API call failed" >> ${PWD}/logs/integrations.log
echo $RESULT >> ${PWD}/logs/integrations.log
exit 1
fi
exit 0